Difference between revisions of "Setting up Samba as a Standalone Server"

m (/* Grammar)
m (/* remove un-required setting)
 
(16 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
In some environments, such as a home network, or to temporarily share folders on a host that is not part of a domain, you may not want to setup an [[Active_Directory_Domain_Controller|Active Directory]] or an [[NT4_Domains|NT4 domain]]. In the following, we will setup a Samba standalone installation with a share that is accessible anonymously (guest access), and a second one that requires authentication against a local user database on the Samba host. To setup share permissions, it is useful to read the documentation about [[Shares_with_POSIX_ACLs|shares with POSIX ACLs]], as well as [[Shares_with_Windows_ACLs|shares with Windows ACLs]]. Of course, a standalone server can also act as a print server. See [[Print_server_support|print server support]] for information how to set up.
+
In small networks, such as a home network, or to share folders on a host that is not part of a domain, you often do not want to set up an [[Active_Directory_Domain_Controller|Active Directory]] or [[NT4_Domains|NT4 domain]].
  
'''See the [[Server_information_used_in_documentation|server information used in documentation]] page for the paths, hostnames, etc used.'''
+
The following documentation describes how to set up a Samba standalone server providing:
 +
* a share that is accessible anonymously (guest access).
 +
* a share that requires authentication against a local user database on the Samba host.
  
  
Line 9: Line 11:
  
  
= A basic smb.conf =
+
= Creating a Basic smb.conf File =
  
The following configuration is a minimal setup for a standalone Samba server installation:
+
The following is a minimal configuration for a Samba standalone server:
  
 
  [global]
 
  [global]
        workgroup = WORKGROUP
 
        netbios name = SA
 
 
 
         map to guest = Bad User
 
         map to guest = Bad User
 
   
 
   
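Review bot: The new [global] section no longer carries `netbios name = SA`, yet the test commands later on the page still connect to `//SA/demo`. Either keep the parameter or state where the name SA comes from (for example the host name), so the test steps work against the documented configuration.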
Line 34: Line 33:
 
         path = /srv/samba/demo/
 
         path = /srv/samba/demo/
 
         read only = no
 
         read only = no
        guest ok = no
 
  
The log parameters are not required for a minimal setup, but are helpful to locate the log files and increasing the log level, in case of problems. The above example includes a share that is accessible without authentication. Guest shares can be a security problem! Imagine one on a laptop, that is connected to different networks (home, school, work, etc.). So please use it with care! If you're not planning to provide anonymous (guest) access to shares, the "map to guest" parameter can either be removed or set to its default ("Never").
+
* You can set a workgroup name with <code>workgroup = xxxxxxxx</code>, where 'xxxxxxxx' is the required name. If the parameter isn't set, the default workgroup name 'WORKGROUP' will be used.
 +
* The log parameters are not necessary for a minimal setup. However they are useful to set the log file and increasing the log level in case of problems.
 +
* Whilst this is only a minimal smb.conf, you can add other parameters, such as 'unix password sync = yes' to ensure the Unix & Samba passwords are kept in sync. See 'man smb.conf' for more info.
 +
 
 +
 
 +
{{Imbox
 +
| type = warning
 +
| text = The example defines a share that is accessible without authentication. Guest shares can be a security problem. For example on a laptop that is connected to different networks, such as home, school, and work networks. Use guest shares with care and never use a guest share with authenticated users.
 +
}}
  
 +
If you are not planning to enable anonymous (guest) access to shares, remove the <code>map to guest</code> parameter.
  
  
  
  
= Create a local user =
 
  
If you want to provide non-anonymous shares on your standalone host, it is required that the users are created locally on the Samba host <u>and</u> in the Samba database. By default Samba uses the tdbsam backend, this stores its database file, passdb.tdb, inside the private directory (/usr/local/samba/private/), unless you have defined a different path via the "passdb backend" parameter.
+
= Creating a Local User Account =
  
 +
To provide authentication on a standalone host, you have to create the accounts locally on the operating system and additionally in the Samba database. By default, Samba uses the <code>tdbsam</code> back end and stores the database in the <code>/usr/local/samba/private/passdb.tdb</code> file. Optionally set a different location in the <code>smb.conf</code> file using the <code>passdb backend</code> parameter. See the <code>smb.conf 5</code> man page for details.
  
* Step 1: Create a local Unix user account
+
* Create a <code>demoUser</code> account on the local system:
  
 
  # useradd -M -s /sbin/nologin demoUser
 
  # useradd -M -s /sbin/nologin demoUser
  
:This command adds a local account named "demoUser" without creating a home directory. Omit "-M", if you require a home. It's not necessary to assign a valid shell to the account if no local logins (e. g. via SSH) are required.
+
:Omit the <code>-M</code> parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
 
 
  
* Step 2: Enable the local account
+
* To enable the <code>demoUser</code> account on the local system:
  
 
  # passwd demoUser
 
  # passwd demoUser
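Review bot: The replacement sentence for `map to guest` only says to remove the parameter and drops the old note that its default is "Never". Keeping the default value in the text lets an administrator confirm the effective setting instead of inferring it. The man page is also cited inconsistently on the new side ('man smb.conf' in the bullet list, `smb.conf 5` in the account paragraph); use one form throughout.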
Line 61: Line 67:
 
  passwd: password updated successfully
 
  passwd: password updated successfully
  
:This password is valid only for the local account and not for Samba access. That one is assigned in step 3. A local password is required - otherwise the account will stay in a locked state and a login via Samba will be denied. Having a password assigned to a Samba-only account won't be a problem, because we didn't define a shell in step 1. In this case, local logins are denied.
+
: Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell.
 
 
  
* Step 3: Add the account to the Samba database
+
* Add the <code>demoUser</code> account to the Samba database:
  
 
  # smbpasswd -a demoUser
 
  # smbpasswd -a demoUser
Line 71: Line 76:
 
  Added user demoUser.
 
  Added user demoUser.
  
:To enable an Samba account, it is necessary to set a password. This one is required for authentication against Samba.
+
:The password assigned in these steps is the one used by the user to log in to the domain.
 
 
  
* Step 4: Enable the account in the Samba database
+
* To enable the Samba account:
  
 
  # smbpasswd -e demoUser
 
  # smbpasswd -e demoUser
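Review bot: The added sentence says the password is the one used "to log in to the domain", but this page configures a standalone server that is not part of a domain. The old wording ("required for authentication against Samba") matched the setup; suggest "used to authenticate to the Samba server".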
Line 83: Line 87:
  
  
= Create a local group (optional) =
+
= Local Group Management =
  
* Step 1: Create a group "demoGroup"
+
* To create a <code>demoGroup</code> group:
  
 
  # groupadd demoGroup
 
  # groupadd demoGroup
  
 +
* To add the <code>demoUser</code> account to the group:
  
* Step 2: Add account to group
+
  # usermod -aG demoGroup demoUser
 
 
  # usermod -G demoGroup demoUser
 
  
  
Line 98: Line 101:
  
  
= The shared directories =
+
= Creating the Shared Directories =
  
If the shared directories do not already exist, you will need to create them:
+
To create the shares directories:
  
 
  # mkdir -p /srv/samba/guest/
 
  # mkdir -p /srv/samba/guest/
Line 107: Line 110:
  
  
= Setting ACLs on shared directories =
+
= Setting ACLs on the Shared Directories =
  
POSIX ACLs will be used in the following examples. See [[Shares_with_POSIX_ACLs|shares with POSIX ACLs]] for further information.
+
Set the following POSIX permissions:
  
 
  # chgrp -R demoGroup /srv/samba/guest/
 
  # chgrp -R demoGroup /srv/samba/guest/
Line 117: Line 120:
 
  # chmod 2770 /srv/samba/demo/
 
  # chmod 2770 /srv/samba/demo/
  
Those ACLs allow write access to group "demoGroup". Accounts, who are not members of the "demoGroup" group, will have only read access on the guest share and no access on the demo share. Additionally we set the SGID bit - represented by the first bit ("2") in "2770" and "2775". This permission defines that the group is inherited on all new files and directories from the parent folder, instead of setting it to the users primary group.
+
This configures write access to members of the <code>demoGroup</code> group in both directories. Other users have read access in the <code>/srv/samba/guest/</code> and no access in the <code>/srv/samba/demo/</code> directory. The SGID bit - represented by the first bit (<code>2</code>) in the mode set on the directories - inherits the group of the parent directory instead setting it to the users primary group when new files are created.
 +
 
 +
For further information, see [[Setting_up_a_Share_Using_POSIX_ACLs|Setting up a Share Using POSIX ACLs]].
  
  
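Review bot: The rewritten SGID sentence has two slips, "instead setting it" (missing "of") and "the users primary group" (missing apostrophe), and it calls the leading 2 of the mode a "bit" although it is an octal digit. Suggest "the leading digit (2) in the mode ... instead of setting it to the user's primary group".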
Line 123: Line 128:
  
  
= Start Samba =
+
= Starting Samba =
  
Start Samba by using the intended way of your OS (init script, systemctl command, etc.) or start the daemon manually:
+
Start the <code>smbd</code> daemon:
  
 
  # smbd
 
  # smbd
 +
 +
Samba does not include start scripts. See your distribution's documentation how further information how to automatically start a service at boot time.
  
  
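Review bot: The added sentence "See your distribution's documentation how further information how to automatically start a service" is garbled; suggest "See your distribution's documentation for further information on how to start a service automatically at boot time." The old hint to use the operating system's own mechanism (init script, systemctl) was also dropped, which leaves a bare `smbd` invocation as the only documented way to start the daemon.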
Line 133: Line 140:
  
  
= Testing =
+
= Testing the Share Access =
  
* Accessing the "demo" share as user "demoUser":
+
* Access the <code>demo</code> share as user <code>demoUser</code>:
  
 
  # smbclient -U demoUser //SA/demo
 
  # smbclient -U demoUser //SA/demo
Line 148: Line 155:
 
  smb: \> quit
 
  smb: \> quit
  
 
+
* Access the <code>demo</code> share as guest. The access is denied:
* Accessing the "demo" share as guest will be denied as expected:
 
  
 
  # smbclient -U guest //SA/demo
 
  # smbclient -U guest //SA/demo
Line 162: Line 168:
 
= Advanced share settings =
 
= Advanced share settings =
  
Find below some typical advanced share configurations. See the smb.conf man page for detailed information about the parameters used.
+
This section describes some advanced share configuration parameters. For further information about the used parameters, see the <code>smb.conf (5)</code> man page.
  
  
  
== Force parameters ==
+
== Using the <code>force</code> Parameters ==
  
 
  [demo]
 
  [demo]
 
         path = /srv/samba/demo/
 
         path = /srv/samba/demo/
 
         read only = no
 
         read only = no
        guest ok = no
 
 
         force create mode = 0660
 
         force create mode = 0660
 
         force directory mode = 2770
 
         force directory mode = 2770
Line 177: Line 182:
 
         force group = demoGroup
 
         force group = demoGroup
  
The two "force ... mode" parameters, force exactly those modes on new files and directories. The force user/group parameters map all connections to the given user/group. Please notice, that this can raise serious security issues - especially if the share is accessible anonymous!
+
The <code>force create mode</code> and <code>force directory mode</code> parameters force Samba to create new files and folders with the set permissions.
 +
 
 +
The <code>force user</code> and <code>force group</code> parameters map all connections to the specified user and group. Note that this can cause security problems if all users connecting to a share are mapped to a specific user account or group in the background.
 +
 
 +
 
 +
 
 +
== User and Group-based Share Access ==
 +
 
 +
See [[Setting_up_a_Share_Using_POSIX_ACLs#Configuring_User_and_Group-based_Share_Access|Configuring User and Group-based Share Access]].
 +
 
  
  
 +
== Host-based Share Access ==
  
== User/group based share access ==
+
See [[Setting_up_a_Share_Using_POSIX_ACLs#Configuring_Host-based_share_access|Configuring Host-based Share Access]].
  
See [[Shares_with_POSIX_ACLs#User.2Fgroup_based_share_access|user/group based share access]].
 
  
  
  
== Host based share access ==
 
  
See [[Shares_with_POSIX_ACLs#Host_based_share_access|host based share access]].
+
----
 +
[[Category:Standalone Server]]
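Review bot: The rewritten `force user` / `force group` warning no longer mentions anonymous access, which the old text singled out ("especially if the share is accessible anonymous"). The new wording only restates what the parameters do. Suggest restoring the explicit caution against combining `force user` with a guest-accessible share.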

Latest revision as of 18:33, 14 August 2019

Introduction

In small networks, such as a home network, or to share folders on a host that is not part of a domain, you often do not want to set up an Active Directory or NT4 domain.

The following documentation describes how to set up a Samba standalone server providing:

  • a share that is accessible anonymously (guest access).
  • a share that requires authentication against a local user database on the Samba host.



Creating a Basic smb.conf File

The following is a minimal configuration for a Samba standalone server:

[global]
        map to guest = Bad User

        log file = /var/log/samba/%m
        log level = 1


[guest]
        # This share allows anonymous (guest) access
        # without authentication!
        path = /srv/samba/guest/
        read only = no
        guest ok = yes

[demo]
        # This share requires authentication to access
        path = /srv/samba/demo/
        read only = no

  • You can set a workgroup name with workgroup = xxxxxxxx, where 'xxxxxxxx' is the required name. If the parameter isn't set, the default workgroup name 'WORKGROUP' will be used.
  • The log parameters are not necessary for a minimal setup. However, they are useful for setting the log file location and increasing the log level in case of problems.
  • Whilst this is only a minimal smb.conf, you can add other parameters, such as 'unix password sync = yes', to ensure the Unix and Samba passwords are kept in sync. See 'man smb.conf' for more information.


If you are not planning to enable anonymous (guest) access to shares, remove the map to guest parameter.



Creating a Local User Account

To provide authentication on a standalone host, you have to create the accounts locally on the operating system and additionally in the Samba database. By default, Samba uses the tdbsam back end and stores the database in the /usr/local/samba/private/passdb.tdb file. Optionally set a different location in the smb.conf file using the passdb backend parameter. See the smb.conf(5) man page for details.

  • Create a demoUser account on the local system:
# useradd -M -s /sbin/nologin demoUser
Omit the -M parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
  • To enable the demoUser account on the local system:
# passwd demoUser
Enter new UNIX password: Passw0rd
Retype new UNIX password: Passw0rd
passwd: password updated successfully
Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local logins using this password are not possible if the account was created without a valid shell.
  • Add the demoUser account to the Samba database:
# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.
The password assigned in these steps is the one used by the user to log in to the domain.
  • To enable the Samba account:
# smbpasswd -e demoUser
Enabled user demoUser.



Local Group Management

  • To create a demoGroup group:
# groupadd demoGroup
  • To add the demoUser account to the group:
# usermod -aG demoGroup demoUser



Creating the Shared Directories

To create the shared directories:

# mkdir -p /srv/samba/guest/
# mkdir -p /srv/samba/demo/


Setting ACLs on the Shared Directories

Set the following POSIX permissions:

# chgrp -R demoGroup /srv/samba/guest/
# chgrp -R demoGroup /srv/samba/demo/

# chmod 2775 /srv/samba/guest/
# chmod 2770 /srv/samba/demo/

This configures write access for members of the demoGroup group in both directories. Other users have read access in the /srv/samba/guest/ directory and no access in the /srv/samba/demo/ directory. The SGID bit, represented by the leading 2 in the mode set on the directories, makes new files inherit the group of the parent directory instead of the user's primary group.

For further information, see Setting up a Share Using POSIX ACLs.



Starting Samba

Start the smbd daemon:

# smbd

Samba does not include start scripts. See your distribution's documentation for further information on how to automatically start a service at boot time.



Testing the Share Access

  • Access the demo share as user demoUser:
# smbclient -U demoUser //SA/demo
Enter demoUser's password: Passw0rd
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
smb: \> ls
  .                                   D        0  Sun Jan  3 21:00:00 2016
  ..                                  D        0  Sun Jan  3 19:00:00 2016
  demo.txt                            A        0  Sun Jan  3 21:00:00 2016

		9943040 blocks of size 1024. 7987416 blocks available
smb: \> quit
  • Access the demo share as guest. The access is denied:
# smbclient -U guest //SA/demo
Enter guest's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
tree connect failed: NT_STATUS_ACCESS_DENIED



Advanced share settings

This section describes some advanced share configuration parameters. For further information about the parameters used, see the smb.conf(5) man page.


Using the force Parameters

[demo]
        path = /srv/samba/demo/
        read only = no
        force create mode = 0660
        force directory mode = 2770
        force user = demoUser
        force group = demoGroup

The force create mode and force directory mode parameters force Samba to create new files and folders with the set permissions.

The force user and force group parameters map all connections to the specified user and group. Note that this can cause security problems if all users connecting to a share are mapped to a specific user account or group in the background.
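
The guest-share caution from the basic smb.conf section and the force user note above can be checked mechanically. The following shell function is an added example, not part of the Samba documentation: it reads an smb.conf on standard input and reports a map to guest value other than Never, guest shares that are writable, and guest shares combined with force user. The [scratch] share in the sample input is constructed for illustration.

```sh
#!/bin/sh
# Added example. Usage: audit_smb_conf < smb.conf
# Assumptions: include files and share defaults set in [global] are not modelled.
audit_smb_conf() {
    awk '
    function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report() {
        if (sec == "" || sec == "global") return
        if (guest && !ro)         print sec ": guest access with write enabled"
        if (guest && fuser != "") print sec ": guest connections forced to user " fuser
    }
    /^[ \t]*([#;]|$)/ { next }              # skip comments and blank lines
    /^[ \t]*\[/ {                           # section header starts a new share
        report()
        sec = tolower($0); gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
        guest = 0; ro = 1; fuser = ""       # Samba defaults: no guest, read only
        next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)  # names ignore spaces
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "maptoguest") {
            if (sec == "global" && tolower(val) != "never") print "global: map to guest = " val
        } else if (key == "guestok" || key == "public")    guest = truthy(val)
        else if (key == "readonly")                        ro = truthy(val)
        else if (key == "writeable" || key == "writable")  ro = !truthy(val)
        else if (key == "forceuser")                       fuser = val
    }
    END { report() }
    '
}

# Constructed sample: the page configuration plus a hypothetical [scratch] share.
sample_conf() {
    cat <<'EOF'
[global]
        map to guest = Bad User
[guest]
        # This share allows anonymous (guest) access
        path = /srv/samba/guest/
        read only = no
        guest ok = yes
[demo]
        path = /srv/samba/demo/
        read only = no
        force user = demoUser
[scratch]
        public = yes
        force user = demoUser
EOF
}

sample_conf | audit_smb_conf
```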


User and Group-based Share Access

See Configuring User and Group-based Share Access.


Host-based Share Access

See Configuring Host-based Share Access.